Slashdot Mirror


Microsoft's Security Report Card

Decaffeinated Jedi writes "In January 2002, Microsoft launched an initiative called 'Trustworthy Computing' aimed at building better security into its products. It's now two years later, and News.com serves up a report card evaluating Microsoft's efforts. Kevin Kean, a group manager at Microsoft's Security Response Center, points out that customers are better off now than they were before the company made the move to refocus on security issues. An analyst quoted in the article, Stephen O'Grady, agrees that he would give Microsoft 'improved marks,' but also notes that the company is not yet where it needs to be in terms of security. He goes on to suggest, however, that 'the numbers indicate that they are at least taking it seriously.' It sounds like Microsoft might have earned itself an Incomplete on this report card."

8 of 354 comments

  1. Re:Let's be honest by Chemical Serenity · Score: 2, Informative

    The DJBDNS suite can be added to that list. Hasn't changed in years... apparently hasn't ever needed to.

    --
    "People will pay big bucks for the luxury of ignorance."

  2. More information by lintux · Score: 1, Informative

    You can find more information about the "Trustworthy Computing" initiative on this site. Quite cool that it still exists, actually. :-)

  3. Re:Let's be honest by Tim C · Score: 3, Informative

    There are essentially two ways to update a modern Windows machine (ie Win2k or newer - I've not used 98 in years, or Me at all). You can either visit the Windows Update site and choose what updates you want to install, or you can use the Automatic Updates tool.

    Automatic Updates checks for critical updates only, and works in three modes: notify me, download and notify me, or download and install. In the first two modes, you have complete control over what gets installed - even in the case that it's downloaded, it won't be installed unless you give the go-ahead. The third mode, of course, is fully automatic - available critical updates are downloaded and installed at a time specified by the user (it defaults to 3am, iirc).

    Personally, in the year or so I've been using XP, I've found no reason not to have it set to automatically install updates. Nothing has broken, and if any unpleasant features have been installed for me, I certainly haven't noticed. (And given the way sites like /. and the Register jump all over anything MS does, I assume that nothing has been)
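    The three Automatic Updates modes described above correspond to the AUOptions value that Windows stores under the WindowsUpdate\AU registry key (2 = notify before download, 3 = download and notify, 4 = download and install on a schedule). The script below is an added example, not part of the thread, that reports which mode a machine is in and can enforce the unattended mode through the policy key; the key paths and value names are the documented ones, the risk labels are the script's own.

```powershell
# Added example (not from the thread): audit and, optionally, enforce the
# Automatic Updates mode on the local machine. Value meanings are the
# documented WindowsUpdate\AU policy settings:
#   AUOptions 2 = notify before download           (mode 1 in the comment above)
#   AUOptions 3 = auto download, then notify       (mode 2)
#   AUOptions 4 = auto download, scheduled install (mode 3)
#   NoAutoUpdate 1 = Automatic Updates turned off entirely
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$LocalKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

function Get-AutoUpdateMode {
    # A policy setting overrides whatever the user picked in the Control Panel.
    $key = if (Test-Path $PolicyKey) { $PolicyKey } else { $LocalKey }
    $au  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    if ($au.NoAutoUpdate -eq 1) {
        $mode = 'Disabled'; $risk = 'High: nothing is fetched or installed'
    } else {
        switch ([int]$au.AUOptions) {
            2       { $mode = 'Notify before download';           $risk = 'Medium: waits for a user' }
            3       { $mode = 'Download, then notify';            $risk = 'Medium: waits for a user' }
            4       { $mode = 'Download and install on schedule'; $risk = 'Low: unattended' }
            5       { $mode = 'Local admin chooses';              $risk = 'Unknown: check Control Panel' }
            default { $mode = 'Not configured';                   $risk = 'Unknown' }
        }
    }
    [pscustomobject]@{
        Source      = $key
        Mode        = $mode
        InstallHour = $au.ScheduledInstallTime   # hour 0-23; the comment cites 3am as the default
        Risk        = $risk
    }
}

function Set-AutoUpdateScheduled {
    # Enforce mode 3 via the policy key so a local user cannot weaken it. Needs admin rights.
    param([ValidateRange(0, 23)][int]$Hour = 3)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name NoAutoUpdate         -Value 0     -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name AUOptions            -Value 4     -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name ScheduledInstallDay  -Value 0     -Type DWord  # 0 = every day
    Set-ItemProperty -Path $PolicyKey -Name ScheduledInstallTime -Value $Hour -Type DWord
}

Get-AutoUpdateMode | Format-List
```

    Run Get-AutoUpdateMode on a fleet before a rollout to find machines still in a notify-only mode; Set-AutoUpdateScheduled is only useful after updates have been tested, as comment 5 below argues.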

  4. Re:Let's be honest by Florian Weimer · Score: 2, Informative

    Security is a job for all of us, not just Microsoft.

    Yes, that's a nice spin -- it's your own fault when your computer has been successfully attacked, even if the vendor has known about the vulnerability for months.

    The most important part about patching is that you have to do it. If something goes wrong, the vendor can blame you. You don't pay your virus scanner tax? Your fault. You don't pay for personal firewalling software? Again your fault. You don't apply that multi-megabyte security upgrade? Of course, it's your fault.

    As long as hackers out there have the tuits to break into systems, security is everyone's business.

    But if your basic infrastructure is broken, you can't fix it on your own. There's no workaround for gaping security holes in Internet Explorer, and Microsoft hasn't been able to deliver a patch to fix these. Instead, more and more "security researchers" end up on Microsoft's payroll and suddenly claim on public mailing lists that using Internet Explorer is safe as long as you use the right security settings.

    By the way, Mozilla isn't better either (a number of unspecified security fixes in 1.6), and it looks as if the security audit has been stopped. But in contrast to Microsoft, they don't have to pay for the "this browser is safe to use" bullshit.

  5. Re:Let's be honest by Slightly Askew · Score: 2, Informative

    You seem to have gotten lost somewhere along the way--updates are manual for a reason

    This just goes to show how little experience most Linux desktop (not server) admins have in the real world. End users cannot be trusted to update their machines. Yes, updates should be done manually to test for potential problems...in a lab environment. After they have been tested and approved in the lab, they should be rolled automatically to the end user. It is simply ludicrous to assume that one admin, or even a team of them, is going to manually install patches to 50,000 workstations every couple of months.

    --
    Public use of any portable music system is a virtually guaranteed indicator of sociopathic tendencies. -- Zoso

  6. Re:Microsoft Security by rifter · Score: 2, Informative

    Microsoft Security. What's it all about? Is it good, or is it whack?

    I'd have to say whack. As is this report. Crowing about the lack of reported vulnerabilities means nothing when you have paid security firms not to report vulnerabilities! Of COURSE the vulnerabilities reported have decreased. But have the real vulnerabilities decreased? Thanks to Microsoft, we will never know.

    Without subjecting themselves to the same review other operating systems undergo, they have no cause to crow about a perceived dearth of vulnerabilities, especially since many previously reported vulnerabilities persist and will not be patched (but are not included in this report since they are not newly reported).

  7. Re:Let's be honest by glh · Score: 4, Informative

    1: Microsoft has been convicted of antitrust violations. Hence why .net can't be used by linux programmers.
    What's stopping them? The go-mono project is quite active - I get at least 50 emails a day from linux programmers that are using .NET on linux. There is also .GNU and some other projects. Rotor is only for "educational purposes" but it runs on OpenBSD.

    2: Blaster.
    The most popular platform, ran by the most people in the world, etc. is bound to have security holes that get exploited. Unfortunately when 95% of the people out there don't know how to patch, these are blown way out of proportion. One company can only do so much to prevent the problems - anything else and you get complainers (see point #4).

    Many linux groups are still nitpicky crazy people who instead of agreeing and compromising, they bicker. Even more are lazy, or greedy, or just plain stupid.
    I've presented at LUG's and I would somewhat agree with this point. There are some people that are just interested in getting things to work, but many of them are hecklers, complainers, etc. It's just the subculture. I used to be "on the other side of the fence" and I know the mindset. Once I graduated college and started working with business, my perspective changed quite a bit. People are drawn to anger/hate/etc. and unfortunately leaders in the linux community help foster this so it continues to pervade.

    4: Open source people see Microsoft's code signing as a way to enact DRM, which is a polite way of saying they want total world domination. Many linux gurus like the idea of code signing, they just don't like Microsoft and they have good reasons.

    Exactly. MS starts implementing security to eliminate things that happen in #2, and now the complaints start rolling in. No matter what MS does there will always be naysayers. They will never be satisfied.

    5: Linux, netware, and other operating systems are still used for servers more often than Microsoft's software. MS's software is only used on desktops because everyone knows it. I've used KDE on suse 8.1, it works well for anyone except power users and I see no reason for ma n' pa to spend $300 on a new copy of winxp so they can check their e-mail.

    In most companies that I have worked in or with, Linux tends to be used primarily for non-critical systems. Solaris is used on any other *nix based system for critical things (eg. production oracle databases), and the hardware cost is astronomical in comparison. We are converting to Win2K servers. The license cost for a business is not what a consumer would pay, in fact it is significantly less (e.g. $100 instead of $300 for XP). Most new PC's that companies order (ie, dell) come with WinXP anyway.

    6: Coding tools for linux exist that are open source and that work well. Not everyone is coding in C. .Net isn't unique.

    Ok, as a .NET developer I definitely have some comments on this one. One of the biggest reasons I "switched" to MS was because of the development tools available. Not only that, but also the support, and the willingness of the developer community (tons and tons of support - just do a google search), as well as Microsoft. There are MS dev leads that help support developers FREE of charge. Sure, the cost of the tool can be pricey, but you aren't just buying the tool. Also, I have never found a tool that has all the needed capabilities/performance/integrated environment of VS.NET in an open source project (for any language). Some open source Java tools come close, but they tend to be really slow and lacking one or two key features that I need to be productive.

    7: Linux is known for its efficiency. On a server, efficiency > ease of use. MS's software was designed for idiots,

    I don't think it was designed for "idiots" but I agree that there is definitely a level of abstraction that MS unnecessarily gives the sys admin that ca

  8. Re:Linux SecWindows Sec: NOT, my linux was rooted by aaron_pet · Score: 2, Informative

    dude, windows has EASY security updates.

    I use Gentoo Linux.. and had my box rooted right out in front of me.

    and more often the linux security updates cause the computer not to boot!
    (I updated some stuff on Suse with their updater... and blam, my boss was pissed at me, cause he told me NOT to update the boxes, and I was being paranoid about outsiders... but the suse update (kernel update) caused the computer not to boot even!)

    anyway, my gentoo was rooted, and I've had viruses on my windows... er.. dos on my 286 from a floppy... and from letting other people use my windows with infected floppies...

    IMNSHO Linux is more difficult/mystic to keep secure... however it is getting better, and it's free... and I don't have to keep track of stupid serial numbers or pay for it.

    --
    Please use [ informative / summarizing ] SUBJECT LINES
    Flame me here